Analysis Report Quotation ATB-PR28500KINH.exe

Overview

General Information

Sample Name:Quotation ATB-PR28500KINH.exe
Analysis ID:321011
MD5:d17a52d8263a29f0afffc30761720be6
SHA1:ff9fa32a78a32e735ea679041af9346947c0e6de
SHA256:96a34a59ffd94ac128d876e672507847b2ca5261b5819ae1db1402ff641375ad
Tags:exe

Detection

Nanocore
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains an invalid checksum
PE file contains strange resources
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

Startup

  • System is w10x64
  • Quotation ATB-PR28500KINH.exe (PID: 6964 cmdline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: D17A52D8263A29F0AFFFC30761720BE6)
    • Quotation ATB-PR28500KINH.exe (PID: 5776 cmdline: Quotation ATB-PR28500KINH.exe MD5: D17A52D8263A29F0AFFFC30761720BE6)
      • schtasks.exe (PID: 1556 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 1744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6444 cmdline: 'schtasks.exe' /delete /f /tn 'DHCP Monitor' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 6668 cmdline: 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5264 cmdline: 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5440 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • taskkill.exe (PID: 5476 cmdline: taskkill /f /im 'Quotation ATB-PR28500KINH.exe' MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
        • PING.EXE (PID: 5704 cmdline: ping -n 1 -w 3000 1.1.1.1 MD5: 70C24A306F768936563ABDADB9CA9108)
  • Quotation ATB-PR28500KINH.exe (PID: 5904 cmdline: 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' 0 MD5: D17A52D8263A29F0AFFFC30761720BE6)
    • WerFault.exe (PID: 6796 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 7804 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.140.53.139"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | -
00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net> | strings:
  • 0x4b59d:$a: NanoCore
  • 0x4b5f6:$a: NanoCore
  • 0x4b633:$a: NanoCore
  • 0x4b6ac:$a: NanoCore
  • 0x5ed57:$a: NanoCore
  • 0x5ed6c:$a: NanoCore
  • 0x5eda1:$a: NanoCore
  • 0x77d3b:$a: NanoCore
  • 0x77d50:$a: NanoCore
  • 0x77d85:$a: NanoCore
  • 0x4b5ff:$b: ClientPlugin
  • 0x4b63c:$b: ClientPlugin
  • 0x4bf3a:$b: ClientPlugin
  • 0x4bf47:$b: ClientPlugin
  • 0x5eb13:$b: ClientPlugin
  • 0x5eb2e:$b: ClientPlugin
  • 0x5eb5e:$b: ClientPlugin
  • 0x5ed75:$b: ClientPlugin
  • 0x5edaa:$b: ClientPlugin
  • 0x77af7:$b: ClientPlugin
  • 0x77b12:$b: ClientPlugin
00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | strings:
  • 0x350b:$x1: NanoCore.ClientPluginHost
  • 0x3525:$x2: IClientNetworkHost
00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | strings:
  • 0x350b:$x2: NanoCore.ClientPluginHost
  • 0x52b6:$s4: PipeCreated
  • 0x34f8:$s5: IClientLoggingHost
00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security | -
(48 entries in total; only the first five are shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.Quotation ATB-PR28500KINH.exe.7450000.10.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | strings:
  • 0x170b:$x1: NanoCore.ClientPluginHost
  • 0x1725:$x2: IClientNetworkHost
3.2.Quotation ATB-PR28500KINH.exe.7450000.10.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | strings:
  • 0x170b:$x2: NanoCore.ClientPluginHost
  • 0x34b6:$s4: PipeCreated
  • 0x16f8:$s5: IClientLoggingHost
3.2.Quotation ATB-PR28500KINH.exe.7410000.8.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | strings:
  • 0x6da5:$x1: NanoCore.ClientPluginHost
  • 0x6dd2:$x2: IClientNetworkHost
3.2.Quotation ATB-PR28500KINH.exe.7410000.8.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth | strings:
  • 0x6da5:$x2: NanoCore.ClientPluginHost
  • 0x7d74:$s2: FileCommand
  • 0xc776:$s4: PipeCreated
  • 0x6dbf:$s5: IClientLoggingHost
3.2.Quotation ATB-PR28500KINH.exe.7490000.12.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth | strings:
  • 0x41ee:$x1: NanoCore.ClientPluginHost
  • 0x422b:$x2: IClientNetworkHost
(35 entries in total; only the first five are shown here)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe, ProcessId: 5776, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp', CommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp', CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: Quotation ATB-PR28500KINH.exe, ParentImage: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe, ParentProcessId: 5776, ProcessCommandLine: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp', ProcessId: 1556

Signature Overview

AV Detection:

Found malware configuration
Source: Quotation ATB-PR28500KINH.exe.5776.3.memstr | Malware Configuration Extractor: NanoCore {"C2: ": ["185.140.53.139"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Yara detected Nanocore RAT
Source: Yara match | File source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.827301666.0000000003311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY
Source: Yara match | File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\4esd | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Quotation ATB-PR28500KINH.exe | Joe Sandbox ML: detected
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack | Avira: Label: TR/Dropper.MSIL.Gen7

Networking:

Uses ping.exe to check the status of other devices and networks
Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
Source: global traffic | TCP traffic: 192.168.2.4:49746 -> 185.140.53.139:1430
Source: Joe Sandbox View | IP Address: 1.1.1.1
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG
Source: unknown | DNS traffic detected: queries for: petroleum.sytes.net
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/
Source: WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.827301666.0000000003311000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY
Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY
Source: Yara match | File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.837010195.0000000007490000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.836861456.0000000007440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.836791554.0000000007410000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.835558421.0000000006320000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.836910738.0000000007460000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.834879559.00000000059A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.59a0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Quotation ATB-PR28500KINH.exe
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 0_2_00746ED1
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_00F86ED1
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_0311E471
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_0311E480
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_0311BBD4
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CDEC59
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CDF8D0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CD8578
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CD8646
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CD12C0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CD0240
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CDD258
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CDBD60
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CD8F73
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CDC978
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CD7970
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CD88C8
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CDCA36
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_074BAF68
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_074B7548
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_074B6C78
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_074B0378
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_074B0040
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_074B25F0
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_074B0920
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_074B6930
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_074B00FE
Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 7_2_008E6ED1
Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 7804
Source: Quotation ATB-PR28500KINH.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 4esd.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: HJdyTuap.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.836297647.0000000005660000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameINFmfMfZgCqnbcnu.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000003.716656516.00000000017D8000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAForge.Video.DirectShow.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameNAudio.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceClientPlugin.dll4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.835818804.0000000006560000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.826732674.00000000016FA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000007.00000002.806393399.0000000005700000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameINFmfMfZgCqnbcnu.bounce.exe4 vs Quotation ATB-PR28500KINH.exe
Source: Quotation ATB-PR28500KINH.exe, 00000007.00000002.805904969.0000000005300000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Quotation ATB-PR28500KINH.exe
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
Source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.837010195.0000000007490000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.837010195.0000000007490000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.836861456.0000000007440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.836861456.0000000007440000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.836791554.0000000007410000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.836791554.0000000007410000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.835558421.0000000006320000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.835558421.0000000006320000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.836910738.0000000007460000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.836910738.0000000007460000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 00000003.00000002.834879559.00000000059A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.834879559.00000000059A0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORYMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORYMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7490000.12.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7410000.8.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7460000.11.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7450000.10.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.59a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.59a0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.6320000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.7440000.9.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
      Source: Quotation ATB-PR28500KINH.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 4esd.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: HJdyTuap.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
      Source: classification engineClassification label: mal100.troj.adwa.evad.winEXE@45818/14@1/3
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeFile created: C:\Users\user\AppData\Roaming\4esd
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1744:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6492:120:WilError_01
      Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5904
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_01
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_01
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeMutant created: \Sessions\1\BaseNamedObjects\Startup_shellcode_006
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{c7093f5f-20e4-4efa-a2b8-e96b9af4ad8c}
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeFile created: C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp
      Source: Quotation ATB-PR28500KINH.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\WerFault.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;Quotation ATB-PR28500KINH.exe&quot;)
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\SysWOW64\WerFault.exeFile read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeFile read: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeJump to behavior
      Source: unknownProcess created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
      Source: unknownProcess created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' 0
      Source: unknownProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 7804
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: Quotation ATB-PR28500KINH.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: Quotation ATB-PR28500KINH.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
      Source: Binary string: (PGo0C:\Windows\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836776558.00000000072CC000.00000004.00000010.sdmp
      Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836393028.0000000006A70000.00000004.00000001.sdmp
      Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836393028.0000000006A70000.00000004.00000001.sdmp
      Source: Binary string: System.pdb" source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp
      Source: Binary string: wkernel32.pdb source: WerFault.exe, 0000000C.00000003.755396910.0000000000DCE000.00000004.00000001.sdmp
      Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: mscoreei.pdbk source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: mscorlib.pdbx source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
      Source: Binary string: powrprof.pdbO source: WerFault.exe, 0000000C.00000003.764146679.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb source: WerFault.exe, 0000000C.00000003.754559178.0000000000DC3000.00000004.00000001.sdmp
      Source: Binary string: profapi.pdb4 source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: shcore.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: clr.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
      Source: Binary string: oleaut32.pdb* source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdbi source: WerFault.exe, 0000000C.00000003.764262805.0000000004F42000.00000004.00000001.sdmp
      Source: Binary string: wgdi32.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
      Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: wsspicli.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: mscorlib.ni.pdbL source: WerFault.exe, 0000000C.00000003.764262805.0000000004F42000.00000004.00000001.sdmp
      Source: Binary string: shell32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
      Source: Binary string: wkernelbase.pdb source: WerFault.exe, 0000000C.00000003.755538728.0000000000DD4000.00000004.00000001.sdmp
      Source: Binary string: wimm32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: wwin32u.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp, WERD2B1.tmp.dmp.12.dr
      Source: Binary string: wUxTheme.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: i.pdb source: WerFault.exe, 0000000C.00000003.764684181.0000000005023000.00000004.00000040.sdmp
      Source: Binary string: gdiplus.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
      Source: Binary string: mscoree.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: System.pdbx source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
      Source: Binary string: wntdll.pdb( source: WerFault.exe, 0000000C.00000003.754559178.0000000000DC3000.00000004.00000001.sdmp
      Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: profapi.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: WindowsCodecs.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: wgdi32full.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
      Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: symbols\dll\mscorlib.pdb source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836776558.00000000072CC000.00000004.00000010.sdmp
      Source: Binary string: shlwapi.pdbk source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.ni.pdb" source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp
      Source: Binary string: sechost.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: System.ni.pdbRSDS source: WERD2B1.tmp.dmp.12.dr
      Source: Binary string: clrjit.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: ucrtbase.pdbk source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: msvcr120_clr0400.i386.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdb2 source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.827053234.00000000017CF000.00000004.00000001.sdmp
      Source: Binary string: msvcr120_clr0400.i386.pdb% source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.ni.pdbRSDS source: WERD2B1.tmp.dmp.12.dr
      Source: Binary string: msctf.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: ole32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: version.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: System.pdb source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp, WERD2B1.tmp.dmp.12.dr
      Source: Binary string: System.ni.pdbj source: WerFault.exe, 0000000C.00000003.764414638.0000000005023000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
      Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000C.00000003.764739559.0000000005010000.00000004.00000040.sdmp
      Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: psapi.pdb source: WerFault.exe, 0000000C.00000003.764684181.0000000005023000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdb source: WerFault.exe, 0000000C.00000003.764619043.0000000004F42000.00000004.00000001.sdmp, WERD2B1.tmp.dmp.12.dr
      Source: Binary string: System.pdbL source: WerFault.exe, 0000000C.00000003.764262805.0000000004F42000.00000004.00000001.sdmp
      Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: mscoreei.pdb source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: wkernelbase.pdb( source: WerFault.exe, 0000000C.00000003.755538728.0000000000DD4000.00000004.00000001.sdmp
      Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000C.00000003.764182591.0000000004F11000.00000004.00000001.sdmp
      Source: Binary string: System.Drawing.pdb source: WerFault.exe, 0000000C.00000003.764684181.0000000005023000.00000004.00000040.sdmp, WERD2B1.tmp.dmp.12.dr
      Source: Binary string: combase.pdb source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: System.Drawing.pdbx source: WerFault.exe, 0000000C.00000002.794748527.00000000051C0000.00000004.00000001.sdmp
      Source: Binary string: combase.pdbk source: WerFault.exe, 0000000C.00000003.764133803.0000000005012000.00000004.00000040.sdmp
      Source: Binary string: wkernel32.pdb( source: WerFault.exe, 0000000C.00000003.755396910.0000000000DCE000.00000004.00000001.sdmp
      Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: Windows.Storage.pdbo source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32L~ source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836393028.0000000006A70000.00000004.00000001.sdmp
      Source: Binary string: wuser32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: msasn1.pdb> source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: version.pdb, source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: System.Drawing.pdbj source: WerFault.exe, 0000000C.00000003.764414638.0000000005023000.00000004.00000040.sdmp
      Source: Binary string: System.ni.pdb source: WerFault.exe, 0000000C.00000003.764730868.0000000004F00000.00000004.00000001.sdmp, WERD2B1.tmp.dmp.12.dr
      Source: Binary string: mscorlib.ni.pdbo source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp
      Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000C.00000003.764375819.0000000005019000.00000004.00000040.sdmp

      Data Obfuscation:

      .NET source code contains potential unpacker
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
      Source: HJdyTuap.exe.0.dr | Static PE information: real checksum: 0x100e9b should be: 0x101c9b
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CDEC42 push es; ret
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Code function: 3_2_05CDEC22 push es; ret
      Source: initial sample | Static PE information: section name: .text entropy: 7.86677123443
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
      Source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File created: C:\Users\user\AppData\Roaming\4esd

      Boot Survival:

      Drops PE files to the startup folder
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
      Uses schtasks.exe or at.exe to add and modify task schedules
      Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | File opened: C:\Users\user\AppData\Roaming\4esd:Zone.Identifier read attributes | delete
      Source: C:\Windows\SysWOW64\WerFault.exe | Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
      Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Uses ping.exe to sleep
      Source: unknown | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Thread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Window / User API: threadDelayed 874
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Window / User API: threadDelayed 5053
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Window / User API: threadDelayed 4445
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Window / User API: foregroundWindowGot 421
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Window / User API: foregroundWindowGot 358
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 6264 | Thread sleep time: -16602069666338586s >= -30000s
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe TID: 5720 | Thread sleep count: 113 > 30
      Source: C:\Windows\SysWOW64\WerFault.exe | File opened: PhysicalDrive0
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Last function: Thread delayed
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
      Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.836297647.0000000005660000.00000004.00000001.sdmp, Quotation ATB-PR28500KINH.exe, 00000007.00000002.806393399.0000000005700000.00000004.00000001.sdmp | Binary or memory string: U!W5=T#TqeMuR=y
      Source: WerFault.exe, 0000000C.00000002.794218928.0000000004D10000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: WerFault.exe, 0000000C.00000002.794075549.0000000004C20000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWP
      Source: WerFault.exe, 0000000C.00000002.794115721.0000000004C4A000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
      Source: WerFault.exe, 0000000C.00000002.794218928.0000000004D10000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: WerFault.exe, 0000000C.00000002.794218928.0000000004D10000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.826998709.00000000017A4000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
      Source: WerFault.exe, 0000000C.00000002.794218928.0000000004D10000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process information queried: ProcessInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\WerFault.exe | Process token adjusted: Debug
      Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Memory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Maps a DLL or memory area into another process
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Section loaded: unknown target: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe protection: execute and read and write
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe Quotation ATB-PR28500KINH.exe
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping -n 1 -w 3000 1.1.1.1
      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.828047366.000000000353F000.00000004.00000001.sdmp | Binary or memory string: Program Managerh
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.837503016.000000000794E000.00000004.00000010.sdmp | Binary or memory string: Program Managerram Manager,1
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.828047366.000000000353F000.00000004.00000001.sdmp | Binary or memory string: Program Manager
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.836146987.000000000694D000.00000004.00000010.sdmp | Binary or memory string: Program Managerram Manager
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Queries volume information: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
      Source: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
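The two sections above record one dropper hand-off sequence: the sample spawns cmd.exe, which runs taskkill /f /im against the sample's own image name and ping -n 1 -w 3000 1.1.1.1 as a batch-file sleep; the sample also runs schtasks /create with a task definition (tmp5BDB.tmp) written to the user's Temp directory, and issues a thread delay of 922337203685477 ms, which is 2^63-1 hundred-nanosecond ticks converted to milliseconds, i.e. the largest timeout the kernel accepts rather than a real wait. The detector below is an added example and is not part of the Joe Sandbox report. It runs over constructed Sysmon-style process-creation records (the pid/ppid/image/cmdline field names and the pids are assumptions for the example) that mirror the process tree, and flags the three patterns plus the sleep sentinel.

```python
"""Added example: hunt rules for the dropper hand-off pattern logged above.
Input is a list of constructed Sysmon-style process-creation records
(Event ID 1 fields: pid, ppid, image, cmdline); none of the records are
taken from the report's own data."""
import re
from pathlib import PureWindowsPath

# 2**63-1 hundred-nanosecond ticks expressed in milliseconds. The
# "delay time: 922337203685477" logged above is exactly this value: the
# largest timeout NtDelayExecution accepts, i.e. sleep forever.
INT64_MAX_TICKS_MS = (2**63 - 1) // 10_000
LONG_SLEEP_MS = 5 * 60 * 1000  # "long sleep" threshold; an assumption for this example

# Task XML written to a Temp directory, as in the schtasks command above.
TEMP_DIR = re.compile(r"\\(AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)

# Sandbox transcripts print Windows quoting with single quotes; accept both.
_TOKEN = re.compile(r'"([^"]*)"' + r"|'([^']*)'" + r"|(\S+)")


def split_cmdline(cmdline):
    """Split a Windows command line into argv, honouring "..." and '...'."""
    return [a or b or c for a, b, c in _TOKEN.findall(cmdline)]


def _name(path):
    return PureWindowsPath(path).name.lower()


def _opt_value(argv, opt):
    """Value following a switch such as /im or /xml, or None."""
    lowered = [a.lower() for a in argv]
    if opt in lowered and lowered.index(opt) + 1 < len(argv):
        return argv[lowered.index(opt) + 1]
    return None


def classify_sleep(delay_ms):
    """'infinite' for the Int64.MaxValue sentinel, 'long' above the threshold."""
    if delay_ms >= INT64_MAX_TICKS_MS:
        return "infinite"
    if delay_ms >= LONG_SLEEP_MS:
        return "long"
    return "normal"


def detect(events):
    """Return (rule, pid) pairs for the three process-tree patterns."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        argv = split_cmdline(e["cmdline"])
        switches = {a.lower() for a in argv[1:]}
        name = _name(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _name(parent["image"]) if parent else ""

        # ping -n <count> -w <ms> <host> launched by cmd.exe is the batch-file
        # sleep idiom; a genuine connectivity check is rarely started this way.
        if name == "ping.exe" and parent_name == "cmd.exe" and {"-n", "-w"} <= switches:
            hits.append(("ping_sleep", e["pid"]))

        # taskkill /im <image> where <image> is the process that started the
        # cmd.exe: the dropper asking its child shell to kill it.
        if name == "taskkill.exe":
            target = _opt_value(argv, "/im")
            grandparent = by_pid.get(parent["ppid"]) if parent else None
            if target and grandparent and _name(grandparent["image"]) == target.lower():
                hits.append(("taskkill_self", e["pid"]))

        # schtasks /create ... /xml <file> with the task definition in Temp,
        # the pattern behind the "Scheduled temp file as task" Sigma match.
        if name == "schtasks.exe" and "/create" in switches:
            xml_path = _opt_value(argv, "/xml")
            if xml_path and TEMP_DIR.search(xml_path):
                hits.append(("schtasks_temp_xml", e["pid"]))
    return hits


def sample_events():
    """Constructed records mirroring the behaviour graph; pids are made up."""
    dropper = r"C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe"
    return [
        {"pid": 100, "ppid": 1, "image": dropper, "cmdline": f'"{dropper}"'},
        {"pid": 200, "ppid": 100, "image": r"C:\Windows\SysWOW64\cmd.exe", "cmdline": "cmd.exe"},
        {"pid": 201, "ppid": 200, "image": r"C:\Windows\SysWOW64\taskkill.exe",
         "cmdline": 'taskkill /f /im "Quotation ATB-PR28500KINH.exe"'},
        {"pid": 202, "ppid": 200, "image": r"C:\Windows\SysWOW64\PING.EXE",
         "cmdline": "ping -n 1 -w 3000 1.1.1.1"},
        {"pid": 300, "ppid": 100, "image": r"C:\Windows\SysWOW64\schtasks.exe",
         "cmdline": "'schtasks.exe' /create /f /tn 'DHCP Monitor' "
                    r"/xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'"},
        # benign controls: an interactive ping and a task created from ProgramData
        {"pid": 400, "ppid": 1, "image": r"C:\Windows\System32\PING.EXE",
         "cmdline": "ping -n 4 8.8.8.8"},
        {"pid": 500, "ppid": 1, "image": r"C:\Windows\System32\schtasks.exe",
         "cmdline": r'schtasks /create /tn Backup /xml "C:\ProgramData\backup.xml"'},
    ]


if __name__ == "__main__":
    for rule, pid in detect(sample_events()):
        print(f"{rule:<18} pid={pid}")
    print("922337203685477 ms ->", classify_sleep(922337203685477))
```

The taskkill rule correlates two hops up the tree rather than matching taskkill alone, because administrators run taskkill constantly; the ping rule requires the cmd.exe parent and both -n and -w for the same reason. Neither the count nor the target address matters for the sleep idiom, so the rule does not key on 1.1.1.1.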

      Stealing of Sensitive Information:

      Yara detected Nanocore RAT
      Source: Yara match | File source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.827301666.0000000003311000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5776, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 6964, type: MEMORY
      Source: Yara match | File source: Process Memory Space: Quotation ATB-PR28500KINH.exe PID: 5904, type: MEMORY
      Source: Yara match | File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.raw.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 3.2.Quotation ATB-PR28500KINH.exe.5cb0000.5.unpack, type: UNPACKEDPE
      Source: Yara match | File source: 0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack, type: UNPACKEDPE

      Remote Access Functionality:

      Detected Nanocore Rat
      Source: Quotation ATB-PR28500KINH.exe, 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000003.716656516.00000000017D8000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Source: Quotation ATB-PR28500KINH.exe, 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp | String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
      Source: Quotation ATB-PR28500KINH.exe, 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp | String found in binary or memory: NanoCore.ClientPluginHost
      Yara detected Nanocore RAT
      Source: Yara match | File sources: the same 19 memory regions, process memory spaces and unpacked PE files listed under "Stealing of Sensitive Information" above
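The string and Yara matches above key on the .NET identifiers of NanoCore's ClientPluginHost assembly (NanoCore.ClientPluginHost, NanoCore.ClientPlugin, IClientNetworkHost, ClientPlugin.dll, all visible in the metadata string logged above). The scanner below is an added example, not part of the Joe Sandbox report and not one of the Yara rules it ran. It looks for those identifiers in the two encodings a process dump of a .NET sample contains, runs on a constructed byte string rather than on any of the report's .sdmp regions, and applies a two-identifier threshold before calling the dump NanoCore; the threshold and the marker list are choices made for this example.

```python
"""Added example: scan a memory dump for the NanoCore ClientPluginHost
identifiers the Yara and string signatures above keyed on. The dump is
constructed in-line; it is not one of the report's .sdmp regions."""

# Identifiers from the embedded ClientPlugin.dll metadata string logged above.
MARKERS = (
    "NanoCore.ClientPluginHost",
    "NanoCore.ClientPlugin",
    "IClientNetworkHost",
    "ClientPlugin.dll",
)

# .NET keeps identifiers in the metadata #Strings heap as UTF-8 (plain ASCII
# here) while live System.String objects on the managed heap are UTF-16LE, so a
# process dump of an unpacked NanoCore stage carries both forms. A rule that
# looks only for the ASCII form misses the runtime copies (in YARA: `ascii wide`).
ENCODINGS = {"ascii": "ascii", "utf16le": "utf-16-le"}


def _find_all(blob, needle):
    """Yield every offset of needle in blob, overlapping matches included."""
    i = blob.find(needle)
    while i != -1:
        yield i
        i = blob.find(needle, i + 1)


def find_markers(blob):
    """Return sorted (offset, encoding, marker) hits. When two markers match
    at the same offset (ClientPlugin is a prefix of ClientPluginHost) only the
    longer one is reported."""
    best = {}
    for enc_name, codec in ENCODINGS.items():
        for marker in MARKERS:
            for off in _find_all(blob, marker.encode(codec)):
                key = (off, enc_name)
                if key not in best or len(marker) > len(best[key]):
                    best[key] = marker
    return sorted((off, enc, m) for (off, enc), m in best.items())


def is_nanocore(blob, min_distinct=2):
    """Verdict: require at least two distinct identifiers so a lone 'NanoCore'
    fragment or one coincidental string does not fire."""
    return len({m for _, _, m in find_markers(blob)}) >= min_distinct


def sample_dump():
    """Constructed dump: one metadata-style ASCII identifier, two managed
    UTF-16LE strings and a decoy fragment that must not match."""
    pad = b"\x00" * 16
    return (
        pad
        + b"NanoCore.ClientPluginHost\x00"            # offset 16, ascii
        + pad
        + "IClientNetworkHost".encode("utf-16-le")    # offset 58, utf16le
        + pad
        + b"NanoCore\x00"                              # offset 110, decoy
        + pad
        + "ClientPlugin.dll".encode("utf-16-le")      # offset 135, utf16le
    )


if __name__ == "__main__":
    for off, enc, marker in find_markers(sample_dump()):
        print(f"0x{off:06x} {enc:<8} {marker}")
    print("verdict:", "NanoCore" if is_nanocore(sample_dump()) else "clean")
```

Pointing find_markers at a real region (for example the bytes of one of the .sdmp files listed above) reports each identifier with its offset and encoding, which is what is needed to confirm that a Yara hit came from a live managed string rather than from the on-disk metadata copy of the plugin assembly.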

      Mitre Att&ck Matrix

      Techniques with matching signatures, by tactic (the superscript counts from the report's matrix are shown in parentheses):

      Execution: Windows Management Instrumentation (11); Scheduled Task/Job (1)
      Persistence: Startup Items (1); DLL Side-Loading (1); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (12)
      Privilege Escalation: Startup Items (1); DLL Side-Loading (1); Process Injection (112); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (12)
      Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (13); DLL Side-Loading (1); Masquerading (11); Modify Registry (1); Virtualization/Sandbox Evasion (3); Process Injection (112); Hidden Files and Directories (1)
      Credential Access: Input Capture (11)
      Discovery: System Information Discovery (23); Security Software Discovery (21); Virtualization/Sandbox Evasion (3); Process Discovery (2); Application Window Discovery (1); Remote System Discovery (11); System Network Configuration Discovery (1)
      Collection: Archive Collected Data (11); Input Capture (11)
      Command and Control: Encrypted Channel (1); Non-Standard Port (1); Remote Access Software (1); Non-Application Layer Protocol (1); Application Layer Protocol (1)
      Initial Access, Lateral Movement, Exfiltration, Network Effects, Remote Service Effects, Impact: no matching signatures

      Behavior Graph

      Behavior Graph ID: 321011; Sample: Quotation ATB-PR28500KINH.exe; Start date: 20/11/2020; Architecture: WINDOWS; Score: 100
      Signatures on the start node: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 11 other signatures

      Process tree (node numbers as in the graph; indentation shows which process started which):
      2  start
        8  Quotation ATB-PR28500KINH.exe
             dropped: C:\Users\user\AppData\...\HJdyTuap.exe (PE32); C:\Users\user\AppData\Roaming\4esd (PE32); C:\Users\user\...\4esd:Zone.Identifier (ASCII)
             signatures: Maps a DLL or memory area into another process; Hides that the sample has been downloaded from the Internet (zone.identifier)
          14  Quotation ATB-PR28500KINH.exe
                network: petroleum.sytes.net 185.140.53.139, remote port 1430, local port 49746, DAVID_CRAIGGG, Sweden
                dropped: C:\Users\user\AppData\Roaming\...\run.dat (Non-ISO); C:\Users\user\AppData\Local\...\tmp5BDB.tmp (XML)
            20  cmd.exe
                  network: 1.1.1.1, CLOUDFLARENETUS, Australia
                  signatures: Uses ping.exe to sleep
              30  conhost.exe
              32  taskkill.exe
              34  PING.EXE
            24  schtasks.exe
              36  conhost.exe
            26  schtasks.exe
              38  conhost.exe
            28  schtasks.exe
              40  conhost.exe
        12  Quotation ATB-PR28500KINH.exe
          18  WerFault.exe
                network: 192.168.2.1 (unknown)

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      Source | Detection | Scanner
      Quotation ATB-PR28500KINH.exe | 100% | Joe Sandbox ML

      Dropped Files

      Source | Detection | Scanner
      C:\Users\user\AppData\Roaming\4esd | 100% | Joe Sandbox ML
      C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | 100% | Joe Sandbox ML

      Unpacked PE Files

      Source | Detection | Scanner | Label
      3.2.Quotation ATB-PR28500KINH.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
      0.2.Quotation ATB-PR28500KINH.exe.5360000.1.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      Name | IP | Active | Malicious | Reputation
      petroleum.sytes.net | 185.140.53.139 | true | true | unknown

      URLs from Memory and Binaries

      Name | Source | Malicious | Reputation
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirthrhttp://schemas.xmlsoap.org/ws/2005 | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/x500distinguishednamejhttp://schemas.xmlsoap.o | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressxhttp://schemas.xmlsoap.org/ws/200 | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authorizationdecisionzhttp://schemas.xmlsoap.o | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/stateorprovince | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprintrhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddresszhttp://schemas.xmlsoap.org/ws/20 | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcoderhttp://schemas.xmlsoap.org/ws/2005/ | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high
      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/authentication | WerFault.exe, 0000000C.00000003.762392239.0000000005200000.00000004.00000001.sdmp | false | high

      Contacted IPs

      Public

      IP | Domain | Country | ASN | ASN Name | Malicious
      1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | true
      185.140.53.139 | unknown | Sweden | 209623 | DAVID_CRAIGGG | true

      1.1.1.1 is Cloudflare's public resolver (ASN 13335 above). In this run it was reached only as the target of the ping -n 1 -w 3000 1.1.1.1 sleep command spawned by cmd.exe, so the malicious flag reflects that use by the sample, not the address itself; the C2 host is 185.140.53.139 (petroleum.sytes.net) on port 1430.

      Private

      IP
      192.168.2.1

                                    General Information

      Joe Sandbox Version: 31.0.0 Red Diamond
      Analysis ID: 321011
      Start date: 20.11.2020
      Start time: 09:09:53
      Joe Sandbox Product: CloudBasic
      Overall analysis duration: 0h 12m 15s
      Hypervisor based Inspection enabled: false
      Report type: light
      Sample file name: Quotation ATB-PR28500KINH.exe
      Cookbook file name: default.jbs
      Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of new started processes analysed: 27
      Number of new started drivers analysed: 0
      Number of existing processes analysed: 0
      Number of existing drivers analysed: 0
      Number of injected processes analysed: 0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode: default
      Analysis stop reason: Timeout
      Detection: MAL
      Classification: mal100.troj.adwa.evad.winEXE@45818/14@1/3
      EGA Information: Failed
      HDC Information:
      • Successful, ratio: 0.3% (good quality ratio 0.1%)
      • Quality average: 19.1%
      • Quality standard deviation: 32.3%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • TCP Packets have been reduced to 100
      • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
      • Excluded IPs from analysis (whitelisted): 104.42.151.234, 52.147.198.201, 51.104.139.180, 52.155.217.156, 13.64.90.137, 20.54.26.129, 95.101.22.125, 95.101.22.134
      • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcoleus16.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, umwatsonrouting.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, skypedataprdcolwus16.cloudapp.net
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
      • Report size getting too big, too many NtSetInformationFile calls found.
      • VT rate limit hit for: /opt/package/joesandbox/database/analysis/321011/sample/Quotation ATB-PR28500KINH.exe

                                    Simulations

                                    Behavior and APIs

                                    Time | Type | Description
                                    09:10:55 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
                                    09:11:05 | Task Scheduler | Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe" s>$(Arg0)
                                    09:11:47 | API Interceptor | 1x Sleep call for process: WerFault.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    Match | Associated Sample Name / URL | Detection | Context
                                    1.1.1.1 | QQ9.0.1.exe | malicious | url-quality-stat.xf.qq.com/Analyze/Data?v=1&&format=json&&qq=0&&cmd=21&&product=qqdownload
                                    185.140.53.139 | RFQ-BOHB-SS-FD6L4.exe | malicious |
                                    185.140.53.139 | PURCHASE_FABRICS_APPAREL_100%_COOTON.exe | malicious |
                                    185.140.53.139 | GT-082568-HSO-280820.DOCX.exe | malicious |

                                          Domains

                                          Match | Associated Sample Name / URL | Detection | Context
                                          petroleum.sytes.net | RFQ-BOHB-SS-FD6L4.exe | malicious | 185.140.53.139
                                          petroleum.sytes.net | new order is in the attached.exe | malicious | 185.244.30.10
                                          petroleum.sytes.net | Claim 001 & 002_pdf.exe | malicious | 185.244.30.10
                                          petroleum.sytes.net | Claim 001 & 002_JPEG.exe | malicious | 185.244.30.10
                                          petroleum.sytes.net | Product lists.exe | malicious | 185.244.30.10
                                          petroleum.sytes.net | End of the yr shipment#102120.exe | malicious | 185.244.30.10
                                          petroleum.sytes.net | ALLPLATES-P.O#008012019.pdf.exe | malicious | 185.244.30.10
                                          petroleum.sytes.net | ALLPLATES-P.O#008012019.exe | malicious | 185.244.30.10
                                          petroleum.sytes.net | Request price listing.exe | malicious | 185.244.30.10
                                          petroleum.sytes.net | 894H-2CH-F-C G03 6VDC.exe | malicious | 185.244.30.10
                                          petroleum.sytes.net | 894H-2CH-F-C G03 6VDC.exe | malicious | 185.244.30.10

                                          ASN

                                          Match | Associated Sample Name / URL | Detection | Context
                                          CLOUDFLARENETUS | SaXJC2CZ8m.exe | malicious | 104.27.133.115
                                          CLOUDFLARENETUS | PO91666. pdf.exe | malicious | 172.67.143.180
                                          CLOUDFLARENETUS | BT2wDapfoI.exe | malicious | 104.23.98.190
                                          CLOUDFLARENETUS | ara.exe | malicious | 172.65.200.133
                                          CLOUDFLARENETUS | ORDER FORM DENK.exe | malicious | 104.18.47.150
                                          CLOUDFLARENETUS | araiki.exe | malicious | 172.65.200.133
                                          CLOUDFLARENETUS | arailk.exe | malicious | 172.65.200.133
                                          CLOUDFLARENETUS | https://filmconsultancy.bindwall.ml/mike@filmconsultancy.com | malicious | 104.26.4.196
                                          CLOUDFLARENETUS | https://trondiamond.co/OMMOM/OM9u8 | malicious | 104.16.18.94
                                          CLOUDFLARENETUS | https://t.e.vailresorts.com/r/?id=h1bac782d,59eb410,55e61f1&VRI_v73=96008558&cmpid=EML_OPENDAYS_RESO_000_OK_SR_REN1Y_000000_TG0001_20201118_V00_EX001_LOCA_ANN_00000_000 | malicious | 104.16.149.64
                                          CLOUDFLARENETUS | https://www.canva.com/design/DAEN9RlD8Vk/acBvt6UoL-DafjXmQk38pA/view?utm_content=DAEN9RlD8Vk&utm_campaign=designshare&utm_medium=link&utm_source=publishsharelink | malicious | 104.18.215.67
                                          CLOUDFLARENETUS | https://gazeta-echo.ru/wp-includes/assets/<>/?mail=tfagot@dupaco.com | malicious | 104.16.123.175
                                          CLOUDFLARENETUS | https://go.pardot.com/e/395202/siness-insights-dashboard-html/bnmpz6/1446733421?h=AwLDfNsCVbkjEN13pzY-7AXMPolL_XMigGsJSppGaiM | malicious | 104.16.19.94
                                          CLOUDFLARENETUS | https://www.lnepia.com.cn/app/4gnf/tiaoban.php | malicious | 104.27.174.80
                                          CLOUDFLARENETUS | https://app.box.com/s/gdf36roak3w2fc52cgfbxuq651p0zehy | malicious | 104.16.18.94
                                          CLOUDFLARENETUS | http://revitoped.blogspot.com/2013/11/view-reference-and-camera-location.html | malicious | 104.20.150.16
                                          CLOUDFLARENETUS | http://WWW.ALYSSA-J-MILANO.COM | malicious | 172.67.39.148
                                          CLOUDFLARENETUS | http://septterror.tripod.com/the911basics.html | malicious | 104.16.19.94
                                          CLOUDFLARENETUS | https://tgcdevgroup-my.sharepoint.com/:b:/g/personal/jmoore_tgcgroup_net/EcgJdwLEdb9OriDBRaw9slAB4_8AMjn68ZCbL_ahHtwjIA?e=4%3a8pEDtO&at=9 | malicious | 104.18.215.67
                                          CLOUDFLARENETUS | BANK-STATMENT _xlsx.exe | malicious | 104.16.155.36
                                          DAVID_CRAIGGG | Ups file de.exe | malicious | 185.140.53.221
                                          DAVID_CRAIGGG | NyUnwsFSCa.exe | malicious | 185.140.53.149
                                          DAVID_CRAIGGG | purchase order.exe | malicious | 185.140.53.233
                                          DAVID_CRAIGGG | Remittance Details.xls | malicious | 185.140.53.184
                                          DAVID_CRAIGGG | PaymentConfirmation.exe | malicious | 185.140.53.183
                                          DAVID_CRAIGGG | ORDER #02676.doc.exe | malicious | 185.244.30.92
                                          DAVID_CRAIGGG | b11305c6ab207f830062f80eeec728c4.exe | malicious | 185.140.53.233
                                          DAVID_CRAIGGG | ShippingDoc.jar | malicious | 185.244.30.139
                                          DAVID_CRAIGGG | 1kn1ejwPxi.exe | malicious | 185.140.53.132
                                          DAVID_CRAIGGG | D6vy84I7rJ.exe | malicious | 185.140.53.149
                                          DAVID_CRAIGGG | 7iatifHQEp.exe | malicious | 185.140.53.132
                                          DAVID_CRAIGGG | Sbext4ZNBq.exe | malicious | 185.140.53.197
                                          DAVID_CRAIGGG | xEdiPz1bC3.exe | malicious | 185.140.53.234
                                          DAVID_CRAIGGG | 7D1wvBrRib.exe | malicious | 185.140.53.234
                                          DAVID_CRAIGGG | O8LDCTOK07.exe | malicious | 185.140.53.233
                                          DAVID_CRAIGGG | aE78QTkV5H.exe | malicious | 185.244.30.98
                                          DAVID_CRAIGGG | DHL Shipment Notice of Arrival AWB 8032697940773.js | malicious | 185.165.153.158
                                          DAVID_CRAIGGG | ORDER-#00654.doc.....exe | malicious | 185.165.153.116
                                          DAVID_CRAIGGG | SMJshb9rCD.exe | malicious | 185.140.53.154
                                          DAVID_CRAIGGG | vUQV0nqjYx.exe | malicious | 185.140.53.182

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_Quotation ATB-PR_96a7472fabb81873d57c13cc6bb4839cc83fbe7d_db6b27cb_1adc0d49\Report.wer
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Little-endian UTF-16 Unicode text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):12974
                                          Entropy (8bit):3.785498070011556
                                          Encrypted:false
                                          SSDEEP:192:XRUBJgHBUZMXCaPDKgNz/u7sZS274Itwa:SB2BUZMXCafz/u7sZX4Itwa
                                          MD5:2F2FBF78E2F633C7FF4B2426C1FBB252
                                          SHA1:7AE745BC94E78599D1448E1D3671B7BABF8B2382
                                          SHA-256:4A0A3803106AC706E2CA8C66292CBF9C31AFC537FD0C5D767F3059E037E17D92
                                          SHA-512:A458FC77CEE31B479725E8D2703CA92BEDE8CC5435A0C402B28AA9C1C3A2E321CFFAABE5507FC6C50E4B637629231CB2A0509E8F960CDB58FD54AC985650C022
                                          Malicious:false
                                          Reputation:low
                                          Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.2.5.0.3.3.3.4.9.2.9.8.2.4.1.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.5.0.3.3.3.5.0.5.3.8.8.6.1.7.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.2.6.8.4.3.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.c.c.4.c.a.3.1.-.0.9.2.5.-.4.4.8.c.-.a.d.3.4.-.c.9.3.8.1.b.6.a.6.f.6.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.c.1.3.7.1.0.4.-.a.e.8.f.-.4.4.f.b.-.a.e.1.2.-.c.c.3.d.5.f.b.d.c.0.2.c.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.Q.u.o.t.a.t.i.o.n. .A.T.B.-.P.R.2.8.5.0.0.K.I.N.H...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.1.0.-.0.0.0.1.-.0.0.1.b.-.7.1.9.b.-.c.5.b.1.1.4.b.f.d.6.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.2.f.2.9.7.4.4.c.4.0.f.1.6.6.3.1.7.9.6.3.4.0.5.8.2.4.c.6.5.9.2.0.0.0.0.f.f.f.f.!.0.0.0.0.f.f.9.f.a.3.2.a.7.8.a.3.2.e.7.3.5.e.a.6.7.9.0.4.1.a.f.9.3.4.6.9.4.7.c.0.e.6.d.e.!.Q.u.o.t.a.t.i.o.
                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2B1.tmp.dmp
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:Mini DuMP crash report, 15 streams, Fri Nov 20 08:11:35 2020, 0x1205a4 type
                                          Category:dropped
                                          Size (bytes):295001
                                          Entropy (8bit):3.65769680944513
                                          Encrypted:false
                                          SSDEEP:3072:Qxejj2jd+p3rEITSzj9gIOgF5Hd0opUCgU0v2B+ac:8yp7HSX9RpDHd7pTj4d
                                          MD5:F400420D3DE5FFD08CE7B06BBFC22163
                                          SHA1:4FCB9A5E4C48FA626A2DAC5F66284B7FF98A0DCF
                                          SHA-256:EF4C7AF6C3909CA8BD4563FBF75FE6E1DA2ACF1B82FD2AEE5AF3D3DC8EEEDAFB
                                          SHA-512:CE282B6A34B36C8A44479FCFD03044BC6486328CAF918083CF75BB6D1B2E6244868DF570655BF6A3A14302134E889A3B469103E488BEC2DDEA3E8FF94286FDA6
                                          Malicious:false
                                          Preview: MDMP....... .......7z._...................U...........B..............GenuineIntelW...........T............z._.............................0..................W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .D.a.y.l.i.g.h.t. .T.i.m.e.......................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.............................................................................................................................................................................................................................................................................................................................................................................................................................................................d.b.g.c.o.r.e...i.3.8.6.,.1.0...0...1.7.1.3.4...1.........................................................................................................
                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERE02F.tmp.WERInternalMetadata.xml
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):8456
                                          Entropy (8bit):3.7007877564809872
                                          Encrypted:false
                                          SSDEEP:192:Rrl7r3GLNipgxD6A6YInSUrgmfZSSE+pr089b9GsfVufm:RrlsNip66A6YoSUrgmfISJ9lft
                                          MD5:6B9231990CBE69E215AA01B73A512CD9
                                          SHA1:4A5CE35742B1DAB35A89B2BB85C5D0D1DB8D0A9A
                                          SHA-256:10E408A06FFF11716D95770ECA1856E860EB1EB74CFD80A6AB17F4CC8FAE9181
                                          SHA-512:CDC383C8961D52B7F6484F59C877E174B58759C96BCB3A357C329681BFB6BAD8744740B1EE336BE291706B834B726D34C56A1A67453B6B03F835D67E9E49E389
                                          Malicious:false
                                          Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.0.4.<./.P.i.d.>.......
                                          C:\ProgramData\Microsoft\Windows\WER\Temp\WERE447.tmp.xml
                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):4759
                                          Entropy (8bit):4.5281455634946
                                          Encrypted:false
                                          SSDEEP:48:cvIwSD8zsu9JgtWI9lBWSC8BD8fm8M4JbD2wuFJo+q8vGD2wgoA3PvT4d:uITfuXWQSNyJOwKoKNwgoIvT4d
                                          MD5:02F765C0BBD9B163338A71F640C71F79
                                          SHA1:84C77A545F43B66865A50E272962CA9FF17685AE
                                          SHA-256:1AA7F97E03E03DE5BBA572B4594DB119E5AD84A4B2C7EC00FEE40CBB85D3A349
                                          SHA-512:80ECF8B619F2CAAA5A4D09F93006E09690FBBA3393EB4A498DBE32AFC48C369C956FD81807116587F8F923C1FCCF51A85185724202747DABA576E667A4513C04
                                          Malicious:false
                                          Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="736882" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                          C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp
                                          Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1315
                                          Entropy (8bit):5.1300632469751575
                                          Encrypted:false
                                          SSDEEP:24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0YsFxtn:cbk4oL600QydbQxIYODOLedq34Fj
                                          MD5:5032064659FAE03D4523250A305DB458
                                          SHA1:0DA07AFBBA69A0C72F43F4DAEAA3F66C03C67803
                                          SHA-256:B48388DDB8F395151D2B01442E2ED98581EBB71306EFAD65874F03925833DAA3
                                          SHA-512:C13773BA16F88E9FCA80F3B7C357678A5518F60DBA408F9B3918496D31FA2E7B393F318656AEA554D1D1FA8AAC1751891FDA540D50E3A69F386CBD0A43E90E80
                                          Malicious:true
                                          Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak
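The task definition dropped as tmp5BDB.tmp and registered as "DHCP Monitor" (see the Task Scheduler entry under Behavior and APIs) is the sample's persistence and re-launch mechanism: an empty Triggers element, RunLevel HighestAvailable, and an action pointing at the sample on the user's Desktop. The following checker is an added example written for this page, not code from the Joe Sandbox report or from the sample. Its constructed task XML reuses the fields visible in the preview above; the Actions element is an assumption reconstructed from the Behavior entry, because the preview is cut off before it, and the benign task is likewise constructed for contrast.

```python
"""Audit a Task Scheduler definition for the persistence pattern in this report.

Added example; the sample XML is constructed from the report's visible fields,
the <Actions> element being an assumption (the tmp5BDB.tmp preview ends before it).
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to: a task whose action lives here is
# controlled by whoever controls the user profile, not by an administrator.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\(Desktop|Downloads|Documents|AppData)\\", re.I)

# Constructed from the report: RunLevel HighestAvailable, Hidden false, empty
# Triggers, action "...\Quotation ATB-PR28500KINH.exe" s>$(Arg0) (assumed).
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo />
  <Triggers />
  <Principals>
    <Principal id="Author">
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\Desktop\\Quotation ATB-PR28500KINH.exe</Command>
      <Arguments>s&gt;$(Arg0)</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign counterpart: least privilege, system path, a real trigger.
BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2020-11-20T09:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command></Exec></Actions>
</Task>"""


def audit_task_definition(raw: bytes) -> dict:
    """Parse a task definition (UTF-16 with BOM, as schtasks /XML files are
    written, or UTF-8) and return the fields of interest plus findings."""
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8")
    # The declaration would contradict the already-decoded str we hand to expat.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    root = ET.fromstring(text)

    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS).lower() == "true"
    triggers = root.find("t:Triggers", NS)
    trigger_count = 0 if triggers is None else len(list(triggers))
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
    arguments = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)

    findings = []
    if run_level == "HighestAvailable":
        findings.append("RunLevel HighestAvailable: runs with the highest privileges "
                        "available to the principal (the elevated token of an administrator)")
    if hidden:
        findings.append("Hidden task: not shown in the Task Scheduler UI by default")
    if trigger_count == 0:
        findings.append("no triggers: task only runs on demand (schtasks /Run or the API)")
    if USER_WRITABLE.match(command):
        findings.append(f"action runs from a user-writable path: {command}")
    if "$(Arg0)" in arguments:
        findings.append("arguments use $(Arg0): whoever starts the task supplies it at run time")
    return {"run_level": run_level, "hidden": hidden, "trigger_count": trigger_count,
            "command": command, "arguments": arguments, "findings": findings}


if __name__ == "__main__":
    for line in audit_task_definition(SAMPLE_TASK_XML.encode("utf-16"))["findings"]:
        print("-", line)
```

On a live host the same function can be pointed at the XML that `schtasks /Query /XML /TN "DHCP Monitor"` prints, or at the task files under C:\Windows\System32\Tasks; the combination of no trigger, an elevated run level and an action under a user profile is the signal, not any single field.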
                                          C:\Users\user\AppData\Roaming\4esd
                                          Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):1020416
                                          Entropy (8bit):6.749169404788789
                                          Encrypted:false
                                          SSDEEP:12288:LyiDzhROOa3duvQt8Q2bqxaCEUTxQccYH7XkoBn7jgdry9vN5airTD4y7JC:HlUO8ko92dCZBXkoBgdry5T9
                                          MD5:D17A52D8263A29F0AFFFC30761720BE6
                                          SHA1:FF9FA32A78A32E735EA679041AF9346947C0E6DE
                                          SHA-256:96A34A59FFD94AC128D876E672507847B2CA5261B5819AE1DB1402FF641375AD
                                          SHA-512:4422A7857B5ECA90DA6F53C6E5A1DCF833248DB7662165C38E5D898C7ADF471D52D9484F41A5737911FA915657A46DD4D9E0C6D6777EC37D5AF414C41299682B
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\._................................. ... ....@.. ....................................@.................................l...O.... ..N............................................................................ ............... ..H............text........ ...................... ..`.rsrc...N.... ......................@..@.reloc..............................@..B........................H........b..............q..............................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....*B...(.....o....&*2.(....t....*.(....&*2.t....o....*F~....~....(.....*..*..(....*.(.........(....(.........(....(....o.........*&...o....*.(....*.(....*.r!..p.....*6..{b...(^...*..o.....{a...{c....{b...oZ...(^...*.so....p...*..oq...*V.{....od....(...+...*J.{....o1....ov...*J
                                          C:\Users\user\AppData\Roaming\4esd:Zone.Identifier
                                          Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview: [ZoneTransfer]....ZoneId=0
                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat
                                          Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):128
                                          Entropy (8bit):6.527114648336088
                                          Encrypted:false
                                          SSDEEP:3:XrURGizD7cnRH5/ljRAaTlKYrI1Sj9txROIsxcMek2:X4LDAn1rplKTYBROIsxek2
                                          MD5:0A9C5EAE8756D6FC90F59D8D71A79E1E
                                          SHA1:0F7D6AAED17CD18DC614535ED26335C147E29ED7
                                          SHA-256:B1921EA14C66927397BAF3FA456C22B93C30C3DE23546087C0B18551CE5001C5
                                          SHA-512:78C2F399AC49C78D89915DFF99AC955B5E0AB07BAAD61B07B0CE073C88C1D3A9F1D302C2413691B349DD34441B0FF909C08A4F71E2F1B73F46C1FF308BC7CF9A
                                          Malicious:false
                                          Preview: Gj.h\.3.A...5.x..&...i+..c(1.P.OT....g.t......'7......)..8zII..K/....n3...3.5.......&.7].)..wL...:}g...@...mV.....JUP...w
                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
                                          Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          File Type:Non-ISO extended-ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):8
                                          Entropy (8bit):3.0
                                          Encrypted:false
                                          SSDEEP:3:a:a
                                          MD5:2BC381F28C6DDA11F4E277B344BA497F
                                          SHA1:DC1AE87C695345EC9845A87A84961ADCAFFEAE0D
                                          SHA-256:5DE4CE2AC8BE1B9FF2662F247073813251BAFA4E33D680C5E98203BF6D85A03E
                                          SHA-512:22D621AF54C97BCFC817AB72BA96E1A701699CD7B14C632F8FD14A232CB77EFB522C6D9F0443BB0D0EBFAC1F26FEDBF3DBEB1B90B4F2C819EDA82BFC9951B30F
                                          Malicious:true
                                          Preview: .4S.+..H
                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak
                                          Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):24
                                          Entropy (8bit):4.501629167387823
                                          Encrypted:false
                                          SSDEEP:3:9bzY6oRDIvYk:RzWDI3
                                          MD5:ACD3FB4310417DC77FE06F15B0E353E6
                                          SHA1:80E7002E655EB5765FDEB21114295CB96AD9D5EB
                                          SHA-256:DC3AE604991C9BB8FF8BC4502AE3D0DB8A3317512C0F432490B103B89C1A4368
                                          SHA-512:DA46A917DB6276CD4528CFE4AD113292D873CA2EBE53414730F442B83502E5FAF3D1AE87BFA295ADF01E3B44FDBCE239E21A318BFB2CCD1F4753846CB21F6F97
                                          Malicious:false
                                          Preview: 9iH...}Z.4..f..J".C;"a
                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin
                                          Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):64
                                          Entropy (8bit):5.320159765557392
                                          Encrypted:false
                                          SSDEEP:3:9bzY6oRDIvYVsRLY6oRDT6P2bfVn1:RzWDIfRWDT621
                                          MD5:BB0F9B9992809E733EFFF8B0E562CFD6
                                          SHA1:F0BAB3CF73A04F5A689E6AFC764FEE9276992742
                                          SHA-256:C48F04FE7525AA3A3F9540889883F649726233DE021724823720A59B4F37CEAC
                                          SHA-512:AE4280AA460DC1C0301D458A3A443F6884A0BE37481737B2ADAFD72C33C55F09BED88ED239C91FE6F19CA137AC3CD7C9B8454C21D3F8E759687F701C8B3C7A16
                                          Malicious:false
                                          Preview: 9iH...}Z.4..f..J".C;"a9iH...}Z.4..f.~a........~.~.......3.U.
                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat
                                          Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):285608
                                          Entropy (8bit):7.99942192025113
                                          Encrypted:true
                                          SSDEEP:6144:KpKR3kz0ohkLsRC9wjZ59AbuaY5O+gRGD9Hcj4Tdw:IaUYweYC9wjZ59AyA5YFc0Te
                                          MD5:30E23835B6123B3250D73C3E313FEB01
                                          SHA1:52CDA23480DA64C5B16D9F6554D6B66E9FA1AE22
                                          SHA-256:20CC3B053C43B689D3C669DDDA6DF6E3C939B2059F9FA5B578AE2BB887269EB3
                                          SHA-512:DBF82EE996D82D0DAF95A3A9733056EF1FFE80D05D6ED88514FD728E9AA29161EEA8E75B12BB77E0D0B4F81C77A26CDAE4ABC29C8FA661D40C1941CA51E1749B
                                          Malicious:false
                                          Preview: .....W*.....P&4.......E..v+...mc...C<_..0....40=......[..3.q....\..[.I.......g....=.cI5w...h{2...c..l.j...4.R..$*X..<....q%...Y.:19..Y....f.uy..Q....=t...Q....\KuA.Z...ze...?........o....BX...Eh....(FW..|Mn.B>...R.>_Yz......U..>n....h..g5.._..vY.dN..]Bi=....&.._.8...9.Et...y..h1...uMy..G...._1by.)...H.................ws...C.S..?6.i.N..........8:..t..?.Z..?^..{......."..fsb....m.<..3..<.{..;+..v..H.6.....C..r_..Hv.?....z...F.=...%2...'C...LqF]....6/,.......)WuH..~..1.W........#..D.P_.Z8..n.~c. ......F$,bI...m../..dO..O...o..).3.M,...0.q..N..n...%BtO.i...L.N.^i[.<...#_......+z.!(...y.XN....^.K. E....2n.!.wa./yy(../...b:..Oq..j2Q- ......n(..\....Q;..ue...G..#!.2.\@lH....o..\?.K.Q..=qW}..|.....6........{.Y..e:.7..P`.H.........o......}..t."C#.i.<z.4Y.e..j..G.RO.$.[.l8...A....U;(...s..C..|...y....w.7?....}.....D.h......Ip.t.8....9%./...K...#G.2.s......E........tX.}..O...X.....S.9>k.hY..-."\..X.y@w.U...|._3.]R..:.^4l......L..........
                                          C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat
                                          Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):52
                                          Entropy (8bit):4.847275718591087
                                          Encrypted:false
                                          SSDEEP:3:oNt+WfW0fyMQkq3CAdA:oNwv0fyn3CN
                                          MD5:3E72236ED7A6619115F6B642BE43AFE9
                                          SHA1:573251F06E43A81E0295E5BAA16DB716024508E6
                                          SHA-256:99A9D3EFFFF2434AAF0B3B748E90A05F9E65279AAFEDD5031A17A50B85D84804
                                          SHA-512:4E8BFAF379951E52F5BD6E807798C91B42AC4727E30226B4E390F3657D8F0F2374D8AC54D28E56D458AA9933E0DAB8F4D25B05AA0D8D42E25E8E9B43C69A8948
                                          Malicious:false
                                          Preview: C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe
                                          Process:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):1024000
                                          Entropy (8bit):6.742030592838574
                                          Encrypted:false
                                          SSDEEP:12288:LyiDzhROOa3duvQt8Q2bqxaCEUTxQccYH7XkoBn7jgdry9vN5airTD4y7JC:HlUO8ko92dCZBXkoBgdry5T9
                                          MD5:F5612610B37DECAB1FCC717588C14DC9
                                          SHA1:E5C75A110081FF99EBEEC0FCF4F0AEBD4576365C
                                          SHA-256:C5E7B10AE0C89F2A3D7B84B2F8F4B4CFC908F9844520A401C18B1FA917F72627
                                          SHA-512:5434C1957FC35F8C656D3CB80D78A95738F9F95AE593ADD4E4341EB9781EDCF070ED73D05BDC34604AF0A3C8187D17A53B836CD74AFEAC69F3015B4602EABF17
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\._................................. ... ....@.. ....................................@.................................l...O.... ..N............................................................................ ............... ..H............text........ ...................... ..`.rsrc...N.... ......................@..@.reloc..............................@..B........................H........b..............q..............................................a.b.d.c.e.f.g.h.i.j.k.l.m.n.p.r.q.s.t.u.v.w.z.y.x.0.1.2.3.4.5.6.7.8.9.A.B.C.D.E.F.G.H.I.J.K.L.M.N.Q.P.R.T.S.V.U.W.X.Y.Z.6..(....o....*B...(.....o....&*2.(....t....*.(....&*2.t....o....*F~....~....(.....*..*..(....*.(.........(....(.........(....(....o.........*&...o....*.(....*.(....*.r!..p.....*6..{b...(^...*..o.....{a...{c....{b...oZ...(^...*.so....p...*..oq...*V.{....od....(...+...*J.{....o1....ov...*J

                                          Static File Info

                                          General

                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):6.749169404788789
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:Quotation ATB-PR28500KINH.exe
                                          File size:1020416
                                          MD5:d17a52d8263a29f0afffc30761720be6
                                          SHA1:ff9fa32a78a32e735ea679041af9346947c0e6de
                                          SHA256:96a34a59ffd94ac128d876e672507847b2ca5261b5819ae1db1402ff641375ad
                                          SHA512:4422a7857b5eca90da6f53c6e5a1dcf833248db7662165c38e5d898c7adf471d52d9484f41a5737911fa915657a46dd4d9e0c6d6777ec37d5af414c41299682b
                                          SSDEEP:12288:LyiDzhROOa3duvQt8Q2bqxaCEUTxQccYH7XkoBn7jgdry9vN5airTD4y7JC:HlUO8ko92dCZBXkoBgdry5T9
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\._................................. ... ....@.. ....................................@................................

                                          File Icon

                                          Icon Hash:905ada12e9cc368b

                                          Static PE Info

                                          General

                                          Entrypoint:0x4a02be
                                          Entrypoint Section:.text
                                          Digitally signed:false
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                          Time Stamp:0x5FB75C82 [Fri Nov 20 06:04:50 2020 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:v4.0.30319
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]

                                          Data Directories

                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xa026c          0x4f          .text
                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa2000          0x5a94e       .rsrc
                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0xfe000          0xc           .reloc
                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                          Sections

                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                          .text   0x2000           0x9e2c4       0x9e400   False     0.921696040679   data       7.86677123443    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                          .rsrc   0xa2000          0x5a94e       0x5aa00   False     0.0372737068966  data       2.71520754372    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                          .reloc  0xfe000          0xc           0x200     False     0.044921875      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                          Name           RVA      Size     Type                                                                                                                                            Language  Country
                                          RT_ICON        0xa21d8  0x42028  dBase III DBT, version number 0, next free block index 40                                                                                       English   United States
                                          RT_ICON        0xe4200  0x468    GLS_BINARY_LSB_FIRST                                                                                                                            English   United States
                                          RT_ICON        0xe4668  0x25a8   dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 2699173413, next used block 2699173413                      English   United States
                                          RT_ICON        0xe6c10  0x10a8   dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 3236110116, next used block 3236110116                      English   United States
                                          RT_ICON        0xe7cb8  0x10828  dBase III DBT, version number 0, next free block index 40                                                                                       English   United States
                                          RT_ICON        0xf84e0  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16384, next free block index 40, next free block 2162368036, next used block 2162368036   English   United States
                                          RT_GROUP_ICON  0xfc708  0x5a     data                                                                                                                                            English   United States
                                          RT_MANIFEST    0xfc764  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                          Imports

                                          DLL          Import
                                          mscoree.dll  _CorExeMain

                                          Possible Origin

                                          Language of compilation system  Country where language is spoken  Map
                                          English                         United States

                                          Network Behavior

                                          Snort IDS Alerts

                                          Timestamp                 Protocol  SID  Message            Source Port  Dest Port  Source IP    Dest IP
                                          11/20/20-09:12:05.255434  ICMP      382  ICMP PING Windows                          192.168.2.4  1.1.1.1
                                          11/20/20-09:12:05.255434  ICMP      384  ICMP PING                                  192.168.2.4  1.1.1.1
                                          11/20/20-09:12:05.271743  ICMP      408  ICMP Echo Reply                            1.1.1.1      192.168.2.4

                                          Network Port Distribution

                                          TCP Packets


                                          UDP Packets

                                          Nov 20, 2020 09:11:46.005731106 CET5644853192.168.2.48.8.8.8
                                          Nov 20, 2020 09:11:46.032888889 CET53564488.8.8.8192.168.2.4
                                          Nov 20, 2020 09:11:46.206490040 CET5917253192.168.2.48.8.8.8
                                          Nov 20, 2020 09:11:46.233680964 CET53591728.8.8.8192.168.2.4
                                          Nov 20, 2020 09:11:46.905869961 CET6242053192.168.2.48.8.8.8
                                          Nov 20, 2020 09:11:46.941170931 CET53624208.8.8.8192.168.2.4
                                          Nov 20, 2020 09:11:47.451590061 CET6057953192.168.2.48.8.8.8
                                          Nov 20, 2020 09:11:47.495317936 CET53605798.8.8.8192.168.2.4
                                          Nov 20, 2020 09:11:48.067826986 CET5018353192.168.2.48.8.8.8
                                          Nov 20, 2020 09:11:48.103645086 CET53501838.8.8.8192.168.2.4
                                          Nov 20, 2020 09:11:48.541096926 CET6153153192.168.2.48.8.8.8
                                          Nov 20, 2020 09:11:48.576716900 CET53615318.8.8.8192.168.2.4
                                          Nov 20, 2020 09:11:52.034049988 CET4922853192.168.2.48.8.8.8
                                          Nov 20, 2020 09:11:52.073638916 CET53492288.8.8.8192.168.2.4
                                          Nov 20, 2020 09:12:31.357302904 CET5979453192.168.2.48.8.8.8
                                          Nov 20, 2020 09:12:31.384423971 CET53597948.8.8.8192.168.2.4
                                          Nov 20, 2020 09:12:33.439625978 CET5591653192.168.2.48.8.8.8
                                          Nov 20, 2020 09:12:33.475292921 CET53559168.8.8.8192.168.2.4

                                          ICMP Packets

                                          Timestamp                            Source IP    Dest IP      Checksum  Code  Type
                                          Nov 20, 2020 09:12:05.255434036 CET  192.168.2.4  1.1.1.1      4d5a            Echo
                                          Nov 20, 2020 09:12:05.271743059 CET  1.1.1.1      192.168.2.4  555a            Echo Reply

                                          DNS Queries

                                          Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class
                                          Nov 20, 2020 09:11:06.113929033 CET  192.168.2.4  8.8.8.8  0xaf88    Standard query (0)  petroleum.sytes.net  A (IP address)  IN (0x0001)

                                          DNS Answers

                                          Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                 CName  Address         Type            Class
                                          Nov 20, 2020 09:11:06.150907993 CET  8.8.8.8    192.168.2.4  0xaf88    No error (0)  petroleum.sytes.net         185.140.53.139  A (IP address)  IN (0x0001)
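The only external name the sample resolves is petroleum.sytes.net, a No-IP dynamic-DNS hostname that answered with 185.140.53.139 at 09:11:06. Dynamic DNS is a common choice for RAT controllers because the operator can re-point the name without rebuilding the client, so a resolution through such a provider from an endpoint that otherwise has no business with it is worth alerting on. The following is an added example and not part of the Joe Sandbox report: a Python routine that parses DNS-answer records in a simplified `timestamp | name | address` form (the sample rows are constructed to mirror the table above, plus one benign control using a documentation address), flags hostnames under public dynamic-DNS apex domains, and returns the hostname/IP IOC pairs. The suffix list is an illustrative assumption, not an exhaustive inventory of providers.

```python
"""Flag DNS resolutions that go through dynamic-DNS providers and return IOC pairs.

Added example for this report, not part of the Joe Sandbox output. The sample
rows below are constructed to mirror the DNS Answers table.
"""
import re
from dataclasses import dataclass

# Apex domains of public dynamic-DNS services. Assumption: illustrative, not exhaustive.
DDNS_SUFFIXES = (
    "sytes.net", "no-ip.org", "no-ip.biz", "no-ip.info", "ddns.net",
    "hopto.org", "zapto.org", "myftp.biz", "duckdns.org", "dynu.net",
)

# Constructed sample in a simplified "timestamp | name | address" form.
# The second row mirrors the report; the first is a benign control using a
# documentation address (TEST-NET-3).
SAMPLE_ANSWERS = """\
Nov 20, 2020 09:10:43.491096020 CET | updates.example.com | 203.0.113.10
Nov 20, 2020 09:11:06.150907993 CET | petroleum.sytes.net | 185.140.53.139
"""

LINE_RE = re.compile(
    r"^(?P<ts>.+?)\s*\|\s*(?P<name>\S+)\s*\|\s*(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


@dataclass(frozen=True)
class DnsAnswer:
    ts: str
    name: str
    address: str


def parse_answers(text):
    """Parse the simplified rows; lines that do not match are skipped."""
    answers = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            answers.append(DnsAnswer(m["ts"], m["name"].lower().rstrip("."), m["addr"]))
    return answers


def is_ddns(name):
    """True when `name` is a host *under* a dynamic-DNS apex (the apex itself is not)."""
    labels = name.lower().rstrip(".").split(".")
    for suffix in DDNS_SUFFIXES:
        s = suffix.split(".")
        # compare whole labels so that "notsytes.net" does not match "sytes.net"
        if len(labels) > len(s) and labels[-len(s):] == s:
            return True
    return False


def ddns_iocs(text):
    """Return (hostname, ip) pairs for answers that resolved via dynamic DNS."""
    return [(a.name, a.address) for a in parse_answers(text) if is_ddns(a.name)]


if __name__ == "__main__":
    for host, ip in ddns_iocs(SAMPLE_ANSWERS):
        print(f"dynamic-DNS resolution: {host} -> {ip}")
```

The label-wise suffix comparison matters: a naive `endswith("sytes.net")` would also fire on an unrelated `notsytes.net`, and matching the bare apex would flag the provider's own web site rather than a tenant hostname.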

                                          Code Manipulations

                                          Statistics

                                          Behavior


                                          System Behavior

                                          General

                                          Start time:09:10:47
                                          Start date:20/11/2020
                                          Path:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
                                          Imagebase:0x6b0000
                                          File size:1020416 bytes
                                          MD5 hash:D17A52D8263A29F0AFFFC30761720BE6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.835747938.0000000005362000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.829501611.0000000003B71000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000000.00000002.835934677.000000000544C000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low

                                          General

                                          Start time:09:11:00
                                          Start date:20/11/2020
                                          Path:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          Wow64 process (32bit):true
                                          Commandline:Quotation ATB-PR28500KINH.exe
                                          Imagebase:0xef0000
                                          File size:1020416 bytes
                                          MD5 hash:D17A52D8263A29F0AFFFC30761720BE6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.829938927.0000000004311000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.836886578.0000000007450000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.830299030.0000000004BE3000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.831913535.0000000004EBB000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.825812769.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000003.00000002.831344680.0000000004D5A000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.837010195.0000000007490000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.837010195.0000000007490000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.827301666.0000000003311000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.836861456.0000000007440000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.836861456.0000000007440000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.836791554.0000000007410000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.836791554.0000000007410000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.835558421.0000000006320000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.835558421.0000000006320000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.836910738.0000000007460000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.836910738.0000000007460000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.834879559.00000000059A0000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.834879559.00000000059A0000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000002.835358110.0000000005CB0000.00000004.00000001.sdmp, Author: Joe Security
                                          Reputation:low

                                          General

                                          Start time:09:11:02
                                          Start date:20/11/2020
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'
                                          Imagebase:0xcc0000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:09:11:02
                                          Start date:20/11/2020
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:09:11:05
                                          Start date:20/11/2020
                                          Path:C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' 0
                                          Imagebase:0x850000
                                          File size:1020416 bytes
                                          MD5 hash:D17A52D8263A29F0AFFFC30761720BE6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Yara matches:
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.799678207.0000000003C51000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          • Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, Author: Florian Roth
                                          • Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: NanoCore, Description: unknown, Source: 00000007.00000002.806053332.00000000054EC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
                                          Reputation:low

                                          General

                                          Start time:09:11:29
                                          Start date:20/11/2020
                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5904 -s 7804
                                          Imagebase:0x12c0000
                                          File size:434592 bytes
                                          MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Reputation:high

                                          General

                                          Start time:09:12:02
                                          Start date:20/11/2020
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:'schtasks.exe' /delete /f /tn 'DHCP Monitor'
                                          Imagebase:0xcc0000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:09:12:02
                                          Start date:20/11/2020
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:09:12:02
                                          Start date:20/11/2020
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:'schtasks.exe' /delete /f /tn 'DHCP Monitor Task'
                                          Imagebase:0xcc0000
                                          File size:185856 bytes
                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:09:12:03
                                          Start date:20/11/2020
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:09:12:03
                                          Start date:20/11/2020
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 & type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' & del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'
                                          Imagebase:0x11d0000
                                          File size:232960 bytes
                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:09:12:04
                                          Start date:20/11/2020
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff724c50000
                                          File size:625664 bytes
                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:09:12:04
                                          Start date:20/11/2020
                                          Path:C:\Windows\SysWOW64\taskkill.exe
                                          Wow64 process (32bit):true
                                          Commandline:taskkill /f /im 'Quotation ATB-PR28500KINH.exe'
                                          Imagebase:0xa00000
                                          File size:74752 bytes
                                          MD5 hash:15E2E0ACD891510C6268CB8899F2A1A1
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate

                                          General

                                          Start time:09:12:04
                                          Start date:20/11/2020
                                          Path:C:\Windows\SysWOW64\PING.EXE
                                          Wow64 process (32bit):true
                                          Commandline:ping -n 1 -w 3000 1.1.1.1
                                          Imagebase:0xc90000
                                          File size:18944 bytes
                                          MD5 hash:70C24A306F768936563ABDADB9CA9108
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
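The process list above shows two of the behaviours flagged in the signature summary: schtasks.exe creating the 'DHCP Monitor' task from an XML file in the user's %Temp% directory, and a cmd.exe one-liner that kills the dropper, uses `ping -n 1 -w 3000 1.1.1.1` as a three-second sleep (the single ICMP echo to 1.1.1.1 at 09:12:05 is that ping), truncates the original executable with `type nul >` and then deletes it. The following is an added example, not part of the Joe Sandbox report: Python detection logic run over constructed process-creation events (parent image, image, command line, mirroring the command lines in the process list) that fires on a scheduled task imported from a temp directory and on a ping-sleep followed by deletion of the parent's own image. The detection names and the benign control event are assumptions for illustration.

```python
"""Detection logic for two behaviours in this report's process tree:
a scheduled task created from an XML in a temp directory, and a cmd.exe
one-liner that uses ping as a sleep before deleting the parent's own image.

Added example, not part of the Joe Sandbox report. Events are constructed to
mirror the command lines in the process list; the detection names and the
benign control event are assumptions for illustration.
"""
import re

# (parent image, image, command line) tuples, constructed from the report.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe",
     r"C:\Windows\SysWOW64\schtasks.exe",
     r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp5BDB.tmp'"),
    (r"C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r"'cmd.exe' /C taskkill /f /im 'Quotation ATB-PR28500KINH.exe' & ping -n 1 -w 3000 1.1.1.1 "
     r"& type nul > 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe' "
     r"& del /f /q 'C:\Users\user\Desktop\Quotation ATB-PR28500KINH.exe'"),
    # benign control: task XML imported from ProgramData, no ping/del chain
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\schtasks.exe",
     r"schtasks.exe /create /tn Backup /xml C:\ProgramData\Backup\task.xml"),
]

TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.IGNORECASE)
SCHTASKS_XML_RE = re.compile(r"/create\b.*?/xml\s+['\"]?(?P<xml>[^'\"]+)", re.IGNORECASE)
PING_SLEEP_RE = re.compile(r"\bping(?:\.exe)?\s+-n\s+\d+", re.IGNORECASE)
DEL_RE = re.compile(r"\bdel\s+(?:/[a-z]\s+)*['\"]?(?P<target>[^'\"&]+?)['\"]?\s*(?:&|$)", re.IGNORECASE)


def detect(parent, image, cmdline):
    """Return the detection names fired for one process-creation event."""
    hits = []
    img = image.lower()
    if img.endswith("schtasks.exe"):
        m = SCHTASKS_XML_RE.search(cmdline)
        if m and TEMP_DIR_RE.search(m["xml"]):
            hits.append("schtasks_xml_from_temp")
    if img.endswith("cmd.exe") and PING_SLEEP_RE.search(cmdline):
        m = DEL_RE.search(cmdline)
        if m and m["target"].strip().lower() == parent.lower():
            hits.append("ping_sleep_self_delete")   # deletes the parent's own image
        elif m:
            hits.append("ping_sleep_then_delete")
    return hits


def scan(events):
    """Run detect() over events, keeping only those that fired."""
    results = []
    for parent, image, cmdline in events:
        hits = detect(parent, image, cmdline)
        if hits:
            results.append((image.rsplit("\\", 1)[-1], hits))
    return results


if __name__ == "__main__":
    for name, hits in scan(SAMPLE_EVENTS):
        print(f"{name}: {', '.join(hits)}")
```

Comparing the `del` target against the parent's image path is what separates a self-deleting dropper from an ordinary cleanup script; without the parent field (Sysmon event 1 and most EDR telemetry carry it) the second rule degrades to the weaker `ping_sleep_then_delete`, which is still a useful hunt because `ping -n N` as a delay has little legitimate use inside a `cmd /C` chain.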

                                          Disassembly

                                          Code Analysis
